Very often. those who professionally investigate human beings have to determine if she is dealing with a real person or an invented identity.

In social discussion, countless times I’ve heard people refer to “the fake me” – a conjured identity that the user employs for his own reasons, which can range from the benign (isolating marketers) to the dangerous (a criminal seeking new prey). More often than not, the braggart is not an IT person – or a detective – and believes that by cobbling together a few “borrowed” digital photos and planting them as profile pics on social media, he can tweet away under his fake identity with no one the wiser. Professional investigators look for this rather lazy pattern (same pics across various platforms) as one of the first clues that they are dealing with a manufactured identity rather than an actual person.

Few people really know how to create an alternative identity and one of those rare people is Aaron Brown. His story, in his own words, is as fascinating as it is correct.

(Reprinted with permission.)

HOW TO INVENT A PERSON ONLINE

by Curtis Wallen, (07/23/2014), The Atlantic

It’s not an exaggeration to say everything you do online is being followed. And the more precisely a company can tailor your online experience, the more money it can make from advertisers. As a result, the Internet you see is different from the Internet anyone else might see. It’s seamlessly assembled each millisecond, designed specifically to influence you. I began to wonder what it would be like to evade this constant digital surveillance—to disappear online.

From that question, Aaron Brown was born.

My project started at a small coffee shop in Bed-Stuy, Brooklyn. With the help of Tor—a software program that uses layers of encryption to anonymize online activity—I searched Craigslist and tracked down a handful of affordable laptop computers for sale in New York City. I registered a new email address with the (now-defunct) Tormail anonymous email provider and arranged to buy a used Chromebook.

xxxxxxxxxxxxxx@xxxxxxx.com (1/27/13 – 11:23):

I’m punctual, I will be there on time at 1. Theres an atrium at citi center, will let you know when I’m there.

clcrb@tormail.org (1/27/13 – 11:25):

Perfect. See you there.

xxxxxxxxxxxxxx@xxxxxxx.com (1/27/13 – 12:59):

Im here in the atrium at 53rd and lex… Gray jacket, blonde hair. Sitting at a table

The meeting was quick. I wore a hat. I kept my head down. The man at the table in a gray jacket was a real person—in a busy public place full of cameras—who could later potentially connect me to the computer. These face-to-face moments left me the most vulnerable. If I was going to evade online surveillance, I had to avoid any ties between my digital footprint and the physical world.

When I got home I immediately reformatted the computer’s hard drive and installed a Linux partition. This meant I could encrypt and cosmetically “hide” the part of my computer that was using Linux. My new laptop would boot up Chrome OS like any other Chromebook, unless I gave it the command to boot up Linux instead. I never connected to anything using Chrome OS. And on the Linux side, I never accessed the Internet without Tor, and I never logged into anything that had any connection to Curtis Wallen.

For a couple months I poked around on the darknet—a hidden network that relies on nonstandard connections. At first, my goal was simply to exist as an anonymous user. However, I realized that this meant fundamentally changing my relationship to the Internet. I couldn’t log in to Facebook, I couldn’t send emails as Curtis, I couldn’t use the Internet the way most of us normally do. I simply couldn’t be me if I wanted to stay hidden. So my original idea began to shift. Rather than simply evade digital tracking, I began to play with the idea of generating a new digital person, complete with the markers of a physical identity. I gathered my roommates and took a series of portraits that fit the requirements for passport photos. I then carefully isolated various features from each one in Photoshop and composited a completely new face: Aaron Brown.

Up to that point, I had been largely operating on instinct and common sense. Now that my project was expanding, I figured it’d probably be a good time to reach out to someone who actually knew what she or he was doing.

I created a new Tormail account, the first evidence of my new person—aaronbrown@tormail.org––and sent an encrypted email to the enigmatic researcher Gwern Branwen, asking what advice he’d give to someone “new to this whole anonymity thing.” Branwen replied with a simple but crucial piece of advice:

“Don’t get too attached to any one identity. Once a pseudonym has been linked to others or to your real identity, it’s always linked.”

Taking Branwen’s advice to heart, I put a sticky note next to my keyboard.

When most people think of Internet surveillance, they imagine government bureaucrats monitoring their emails and Google searches. In a March 2014 study, MIT professor Catherine Tucker and privacy advocate Alex Marthews analyzed data from Google Trends across 282 search terms rated for their “privacy-sensitivity.” The terms included “Islam”, “national security”, “Occupy”, “police brutality”, “protest”, and “revolution.” After Edward Snowden’s leaks about NSA surveillance, Tucker and Marthews found, the frequency of these sensitive search terms declined—suggesting that Internet users have become less likely to explore “search terms that they [believe] might get them in trouble with the U.S. government.” The study also found that people have become less likely to search “embarrassing” topics such as “AIDS”, “alcoholics anonymous,” “coming out,” “depression,” “feminism,” “gender reassignment,” “herpes,” and “suicide”—while concerns over these more personal terms could have as much to do with startling Google ads, the notable decrease observed in the study suggests the increased awareness of surveillance led to a degree of self-censorship.

In other words, people are doing their best to blend in with the crowd.

The challenge of achieving true anonymity, though, is that evading surveillance makes your behavior anomalous—and anomalies stick out. As the Japanese proverb says, “A nail that sticks out gets hammered down.” Glenn Greenwald explained recently that simply using encryption can make you a target. For me, this was all the more motivation to disappear.

I’d created a false human being, but instead of a carefully coordinated deception, the result was simply babble.

Aaron had a face, but lacked “pocket litter”—an espionage term that refers to physical items that add authenticity to a spy’s cover. In order to produce this pocket litter, I needed money—the kind of currency that the counterfeit professionals of the darkweb would accept as payment. I needed bitcoin, a virtual currency that allows users to exchange goods and services without involving banks. At that time, one of the few services that exchanged cash for bitcoin was a company called Bitinstant. I made my way to a small computer shop in the Chinatown neighborhood of Manhattan to make the transfer.

At a small, teller-like window, I filled out the paperwork using fake information. Unwisely, I wrote down my name as Aaron Brown— thus creating one of the links to my real identity I should have been avoiding. As a result, my receipt had “Aarow Brown” printed on it. It seemed fitting that the first physical evidence of Aaron’s existence was a misspelled name on a receipt from a computer shop.

When I got home, 10 bitcoin were there waiting for me in my virtual wallet, stored on an encrypted flash drive. I made the necessary contacts and ordered a counterfeit driver’s license, a student ID, a boating license, car insurance, an American Indian tribal citizenship card, a social security card scan (real social security cards were a bit out of my budget), and a cable bill for proof of residency. The final bill came out to just over 7 bitcoin, roughly $400 at the time.

As I waited for my pile of documents, I began crafting Aaron’s online presence. While exploring message boards on the darknet, I came across the contact information for a self-proclaimed hacker called v1ct0r who was accepting applications to host hidden services on a server he managed. I messaged him with a request to host Aaron’s website. He was happy to offer a little space, under two conditions: “no child porn nor racism; Respects the rules or i could block/delete your account.”

I also set up a simple web proxy so that anyone could contribute to Aaron’s online presence. The proxy serves as a middleman for browsing the Internet, meaning any website you visit is first routed through the proxy server. Anyone who browses using the proxy is funneling traffic through that one node—which means those web pages look like they’re being visited by Aaron Brown.

Aaron’s Twitter account worked much the same way. There was a pre-authenticated form on the project website, allowing anyone to post a tweet to Aaron’s feed. As Aaron’s creator, it was fascinating to see what happened once strangers started interacting with it regularly. People would tweet at their friends, and then Aaron would received confused replies. Under the guise of Aaron, people tweeted out, jokes, love messages, political messages, and meta-commentaries on existence. I even saw a few advertisements. Ultimately, the account was suspended after Spanish political activists used it to spam news outlets and politicians.

In a sense, I was doing the opposite of astroturfing, a practice that uses fake social media profiles to spread the illusion of grassroots support or dissent. In 2011, the Daily Kos reported on a leaked document from defense contractor HBGary which explained how one person could pretend to be many different people:

Using the assigned social media accounts we can automate the posting of content that is relevant to the persona. … In fact using hashtags and gaming some location based check-in services we can make it appear as if a persona was actually at a conference and introduce himself/herself to key individuals as part of the exercise … There are a variety of social media tricks we can use to add a level of realness to all fictitious personas.

Aaron Brown turned that concept inside out. With a multitude of voices and interests filtering through one point, any endeavor to monitor his behavior or serve him targeted ads became a wash. None of the information was representative of any discrete interests. The surveillance had no value. I’d created a false human being, but instead of a carefully coordinated deception, the result was simply babble.

“The Internet is what we make it,” wrote security researcher Bruce Schneier in January 2013, “and is constantly being recreated by organizations, companies, and countries with specific interests and agendas. Either we fight for a seat at the table, or the future of the Internet becomes something that is done to us.”

For those of us who feel confident that we have nothing to hide, the future of Internet security might not seem like a major concern. But we underestimate the many ways in which our online identities can be manipulated. A recent study used Facebook as a testing ground to determine if the company could influence a user’s emotional disposition by altering the content of her or his News Feed. For a week in January 2012, reseachers subjected 689,003 unknowing users to this psychological experiment, showing happier-than-usual messages to some people and sadder-than-usual messages to others. They concluded that they had “experimental evidence for massive-scale contagion via social networks” because users responded by publishing more positive or negative posts of their own, depending on what they saw in their own feeds.

The U.S. Department of Defense has also figured out how influential Facebook and Twitter can be. In 2011, it announced a new “Social Media in Strategic Communication” (SMISC) program to detect and counter information the U.S. government deemed dangerous. “Since everyone is potentially an influencer on social media and is capable of spreading information,” one researcher involved in a SMISC study told The Guardian, “our work aims to identify and engage the right people at the right time on social media to help propagate information when needed.”

Private companies are also using personal information in hidden ways. They don’t simply learn our tastes and habits, offering us more of what want and less of what we don’t. As Michael Fertik wrote in a 2013 Scientific American article titled “The Rich See a Different Internet Than the Poor,” credit lenders have the ability to hide their offers from people who may need loans the most. And Google now has a patent to change its prices based on who’s buying.

Is it even possible to hide from corporate and government feelers online? While my attempt to do so was an intensely interesting challenge, it ultimately left me a bit disappointed. It is essentially impossible to achieve anonymity online. It requires a complete operational posture that extends from the digital to the physical. Downloading a secure messaging app and using Tor won’t all of a sudden make you “NSA-proof.” And doing it right is really, really hard.

Weighing these trade-offs in my day-to-day life led to a few behavioral changes, but I have a mostly normal relationship with the Internet—I deleted my Facebook account, I encrypt my emails whenever I can, and I use a handful of privacy minded browser extensions. But even those are steps many people are unwilling, or unable, to take. And therein lies the major disappointment for me: privacy shouldn’t require elaborate precautions.

No one likes being subliminally influenced, discriminated against, or taken advantage of, yet these are all legitimate concerns that come with surveillance. These concerns are heightened as we increasingly live online. Digital surveillance is pervasive and relatively cheap. It is fundamentally different than anything we’ve faced before, and we’re still figuring out what what the boundaries should be.

For now, Aaron’s IDs and documents are still sitting inside my desk. Aaron himself actually went missing a little while ago. I used Amazon’s Mechanical Turk marketplace to solicit descriptions from strangers, and then hired a forensic artist to draw a sketch. He resurfaced on Twitter. (You can go here to try tweeting as Aaron Brown.) But other than that, no word. I have a feeling he’ll probably pop up in Cleveland at some point.

Everyone always seems to get sucked back home.

******

One thing we seem to forget as we go through our daily online lives is to trust our gut instincts. If something feels off, your primal brain is sensing it before the logical side can identify the issue. Trust your instincts – after all, we are – literally and virtually – all strangers online.

Who. What.

For the trial law and legal community from a private investigator's perspective.
The Beacon Bulletin is the weekly newsletter authored and published by our parent company, Beacon Network Investigations, LLC (BNI).
We're a private investigation company. We DON'T dispense legal advice, respond to anonymous queries or black hat your enemies for you. (Internally, however, points are alloted to our favorite subtly phrased compliments.)
We DO hope to inform. That's our business.